TryHackMe: Advent of Cyber 2 [Day 6] Be Careful with what you Wish on a Christmas Night

Samantha
3 min read · Jan 17, 2021


Room: Advent of Cyber 2

Difficulty: Beginner

This year, Santa wanted to go fully digital and invented a “Make a wish!” system. It’s an extremely simple web app that would allow people to anonymously share their wishes with others. Unfortunately, right after the hacker attack, the security team has discovered that someone has compromised the “Make a wish!”. Most of the wishes have disappeared and the website is now redirecting to a malicious website. An attacker might have pretended to submit a wish and put a malicious request on the server! The security team has pulled a back-up server for you on MACHINE_IP:5000. Your goal is to find the way the attacker could have exploited the application.

Here is the page from the backup server for us to investigate:

Question #2: What vulnerability type was used to exploit the application?

I am going to start out here by opening OWASP ZAP and running an automated scan against the backup server:

After the scan completes, you can check the Alerts tab to see if anything was found. Here we can see two XSS alerts:

Interestingly, neither “Persistent Cross Site Scripting” nor “Reflected Cross Site Scripting” worked when I entered them as the answer, so I actually used “Stored Crosssite Scripting”.

This particular XSS type was referenced in the room materials as one that can be used in comment posts, which is exactly what the wish submissions on this webpage are.

Question #3: What query string can be abused to craft a reflected XSS?

If you enter a wish and look back at the ZAP alerts, you will see plenty of XSS findings listed.

Looking through all the entries, you will see the “q” query string parameter flagged multiple times; it is the parameter used by the search function:

By submitting your own search query, you can confirm this:
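To make the two findings above concrete (stored XSS through the wish list, reflected XSS through the “q” search parameter), here is an added example that is not code from the writeup or from the TryHackMe room. It assumes a minimal “Make a wish!” style renderer with a list of stored wishes and a search page that echoes the q parameter; the function names, sample wishes and probe URL are constructed for illustration. It places the vulnerable rendering beside the hardened form, which is what a fix on the real server would need to do.

```javascript
// Added example (not from the writeup or the TryHackMe room): a minimal
// renderer for a "Make a wish!" style app, showing why untrusted input
// must be HTML-encoded before it is placed into a page.
// Assumptions: the app stores wishes in a list and has a search page that
// reflects the "q" query-string parameter; nothing here is the room's code.

// Encode the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: concatenates raw input into markup.
// A stored wish containing markup runs for every visitor (stored XSS);
// a crafted "q" value runs for whoever opens that URL (reflected XSS).
function renderUnsafe(wishes, q) {
  const items = wishes.map((w) => `<li>${w}</li>`).join("");
  return `<p>Results for: ${q}</p><ul>${items}</ul>`;
}

// Hardened: every untrusted value is encoded at the point it enters HTML.
function renderSafe(wishes, q) {
  const items = wishes.map((w) => `<li>${escapeHtml(w)}</li>`).join("");
  return `<p>Results for: ${escapeHtml(q)}</p><ul>${items}</ul>`;
}

// Extract the "q" parameter the way the search page would, using the
// standard URL API (so "?q=%3Cb%3E" is decoded to "<b>").
// The base URL is a placeholder standing in for MACHINE_IP:5000.
function searchTermFromUrl(url) {
  return new URL(url, "http://localhost:5000").searchParams.get("q") ?? "";
}

// Constructed sample data: one ordinary wish and one that contains markup,
// plus a search URL whose q value carries a harmless bold tag as a probe.
const SAMPLE_WISHES = ["A new bike", "<b>bold wish</b>"];
const SAMPLE_URL = "/search?q=%3Cb%3Eprobe%3C%2Fb%3E";

// Simple check a reviewer can run: does the rendered page still contain the
// raw tag from untrusted input? True means the input was not encoded.
function containsRawTag(html) {
  return /<b>/.test(html);
}

// Render both versions against the sample data and report whether the
// probe tag survived unencoded in each.
function demo() {
  const q = searchTermFromUrl(SAMPLE_URL);
  const unsafe = renderUnsafe(SAMPLE_WISHES, q);
  const safe = renderSafe(SAMPLE_WISHES, q);
  return {
    q,
    unsafeLeaks: containsRawTag(unsafe), // true: both stored and reflected input break out
    safeLeaks: containsRawTag(safe),     // false: everything is encoded
    safe,
  };
}

console.log(demo());
```

The same `escapeHtml` step fixes both findings because both have the same root cause: user-controlled text (a stored wish, or the q value from the URL) is inserted into HTML without encoding. Encoding at the output point, rather than trying to filter input, is the standard mitigation; a Content Security Policy would add a second layer.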

Question #5: Run a ZAP (zaproxy) automated scan on the target. How many XSS alerts are in the scan?

Looks like we already answered this one above: it was 2.

Happy Hacking! ❤
